Syntax of the userdn Keyword

The userdn keyword can alternatively be expressed
as an LDAP URL filter. For information about expressing the userdn keyword
as an LDAP URL, see LDAP URLs in the userdn Keyword.

dn can have one of the following values:

distinguished-name

A fully qualified DN. Characters that are syntactically significant
for a DN, such as commas, must be escaped with a single backslash (\).
The wildcard * can be used to specify a set of users. For
example, if the following user DN is specified, users with a bind DN beginning
with the letter b are allowed or denied access:

uid=b*,dc=example,dc=com

anyone

Allows or denies access for anonymous and authenticated users,
regardless of the circumstances of the bind.

This access can be limited to specific types of access (for example,
access for read or access for search) or to specific subtrees or individual
entries within the directory. The following ACI on the dc=example,dc=com node allows anonymous access to read and search the entire dc=example,dc=com tree.

all

Allows or denies access for authenticated users. The all value prevents anonymous access. The following ACI on the dc=example,dc=com node allows authenticated users to read the entire dc=example,dc=com tree:

self

Allows or denies users access to their own entries if the bind DN matches the DN of the targeted entry. The following ACI on the dc=example,dc=com node allows authenticated users in the dc=example,dc=com tree to write to their userPassword attribute.
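The following Python example is added here to make the matching rules above concrete; it is not part of the Directory Server documentation. It evaluates a userdn value (including the || separator the keyword accepts for several DNs) against a constructed bind DN and target entry, honouring backslash-escaped commas and the * wildcard, and treating an empty bind DN as an anonymous bind.

```python
import re

# Constructed illustration of the userdn matching rules: distinguished-name
# (with * wildcards), anyone, all and self. Bind and target DNs are made up.

def split_dn(dn):
    """Split a DN into RDN components, honouring backslash-escaped commas."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]          # keep the escape pair intact
            i += 2
            continue
        if c == ",":
            parts.append(cur.strip())
            cur = ""
        else:
            cur += c
        i += 1
    parts.append(cur.strip())
    return [p.lower() for p in parts]   # DN comparison is case-insensitive

def dn_pattern_matches(pattern_dn, bind_dn):
    """Match a bind DN against a userdn DN whose RDNs may contain '*'."""
    pat, val = split_dn(pattern_dn), split_dn(bind_dn)
    if len(pat) != len(val):            # a wildcard never spans a comma
        return False
    for p, v in zip(pat, val):
        rx = ".*".join(re.escape(x) for x in p.split("*"))
        if not re.fullmatch(rx, v):
            return False
    return True

def userdn_allows(userdn_value, bind_dn, target_dn):
    """Return True if bind_dn satisfies userdn_value for an ACI on target_dn."""
    anonymous = bind_dn == ""
    for clause in userdn_value.split("||"):
        clause = clause.strip()
        if not clause.startswith("ldap:///"):
            raise ValueError("userdn values must be LDAP URLs: " + clause)
        dn = clause[len("ldap:///"):]
        if dn == "anyone":                          # anonymous or authenticated
            return True
        if anonymous:                               # all, self and DNs need a bind
            continue
        if dn == "all":
            return True
        if dn == "self":
            if split_dn(bind_dn) == split_dn(target_dn):
                return True
        elif dn_pattern_matches(dn, bind_dn):
            return True
    return False
```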